package com.Apo1o.security;

import lombok.RequiredArgsConstructor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@RequiredArgsConstructor
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private final UserLoadSecurityServiceImpl userLoadSecurityService;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userLoadSecurityService);
    }

/**
 * 配置HTTP安全设置，定义Spring Security如何处理HTTP请求。
 *
 * @param http 用于配置HttpSecurity的对象。
 * @throws Exception 如果配置过程中发生错误。
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
//            // 为/public/**路径配置权限，需具有patient、doctor或admin任意权限
//            .mvcMatchers("/public/**").hasAnyAuthority("patient", "doctor", "admin")
//            // 为/patient/**路径配置权限，需具有patient、admin或doctor任意权限
//            .mvcMatchers("/patient/**").hasAnyAuthority("patient", "admin", "doctor")
//            // 为/doctor/**路径配置权限，需具有doctor或admin任意权限
//            .mvcMatchers("/doctor/**").hasAnyAuthority("doctor", "admin")
//            // 为/admin/**路径配置权限，仅限admin权限
//            .mvcMatchers("/admin/**").hasAnyAuthority("admin")
            // 允许所有用户访问/util/**、/common/**、/actuator/**和/api/**路径
            .mvcMatchers("/util/**", "/common/**", "/actuator/**", "/api/**").permitAll()

            // 对其他所有请求要求用户已认证
            .anyRequest().authenticated()

            .and()

            // 在BasicAuthenticationFilter之前添加自定义的TokenAuthFilter进行token认证
            .addFilterBefore(new TokenAuthFilter(authenticationManager()), BasicAuthenticationFilter.class)

            // 配置异常处理，定义访问被拒绝和未认证访问时的处理方式
            .exceptionHandling()
            .accessDeniedHandler(new MyAccessDeniedHandler())
            .authenticationEntryPoint(new MyAuthenticationEntryPointHandler())

            // 禁用默认的CSRF保护，适用于前后端分离应用中的REST服务
            .and().csrf().disable();

    // 禁用表单登录
    http.formLogin().disable();
    // 禁用退出功能
    http.logout().disable();

    // 设置会话管理策略为无状态，以提升性能
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}


    @Override
    public void configure(WebSecurity web) {
        web.ignoring()

                .antMatchers("/util/**", "/common/**")
                .antMatchers("/actuator/**")
                .antMatchers("/api/**")
                .antMatchers("/swagger-ui.html", "/swagger-resources/**", "/webjars/**", "/v2/**");
    }
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
}

